Darth Rob - ASP.Net Topics

WIF is an SDK (and accompanying runtime) that allows a .Net developer to take advantage of WS-Federation and WS-Trust to authenticate a user and make authorization decisions based on claims about that person.

It's a drop-in replacement for simple Windows Auth or Forms Auth in the ASP.Net world, and has a handy method for flowing an identity securely from ASP.Net to WCF without having to write a ton of impersonation code.  From the perspective of a developer, authentication just magically works.  If you're using WIF, you can be guaranteed that if a user is accessing your application, they've been authenticated.  Then, all that's left for you to do is inspect the claims to make authorization decisions.

I've been playing a lot with the new .Net 4.0 features over the past year, and I'm very impressed with Microsoft's commitment to open standards.  Most recently, I was tasked with applying Windows Identity Foundation (WIF) to a product that was in development.  I did what any dutiful software engineer would do: I bought a book.  Then, I set the book aside and said to myself, "Self, you don't need no stinkin' book!  You can figure this stuff out!"  Needless to say, a few hours later, I started reading the book.

The book, Programming Windows Identity Foundation, is pretty decent.  It's by no means perfect.  I found several mistakes, beginning with the first code example which wouldn't even compile.  The online errata had only one "verified" entry and dozens of "unverified" entries going back over a year.  Despite this, I still recommend the book for the uninitiated.